Fix invitations to lower roles (#58)

Adjusted the SQL query to include a condition for roles at the same hierarchy level. This ensures that users with the same level of permission can properly manage invitations, improving the accuracy of role-based access control.
2024-08-30 20:43:17 +08:00
parent e23489d308
commit 5fada83913
2 changed files with 26 additions and 4 deletions
--- a/apps/web/supabase/migrations/20221215192558_schema.sql
+++ b/apps/web/supabase/migrations/20221215192558_schema.sql
@@ -1234,7 +1234,7 @@ select

 -- INSERT(invitations):
 -- Users can create invitations to users of an account they are
-- a member of  and have the 'invites.manage' permission AND the target role is not higher than the user's role
+-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
 create policy invitations_create_self on public.invitations for insert to authenticated
 with
  check (
@@ -1247,14 +1247,21 @@ with
      account_id,
      'invites.manage'::public.app_permissions
    )
-    and public.has_same_role_hierarchy_level (
+    and (public.has_more_elevated_role (
      (
        select
          auth.uid ()
      ),
      account_id,
      role
-    )
+    ) or public.has_same_role_hierarchy_level(
+      (
+        select
+          auth.uid ()
+      ),
+      account_id,
+      role
+    ))
  );

 -- UPDATE(invitations):
--- a/apps/web/supabase/tests/database/invitations.test.sql
+++ b/apps/web/supabase/tests/database/invitations.test.sql
@@ -8,6 +8,7 @@ select no_plan();
 select makerkit.set_identifier('test', 'test@makerkit.dev');
 select makerkit.set_identifier('member', 'member@makerkit.dev');
 select makerkit.set_identifier('custom', 'custom@makerkit.dev');
+select makerkit.set_identifier('owner', 'owner@makerkit.dev');

 select tests.authenticate_as('test');

@@ -36,6 +37,20 @@ select lives_ok(
    'member should be able to create invitations for members or lower roles'
 );

+-- test invite exists
+select isnt_empty(
+    $$ select * from public.invitations where account_id = makerkit.get_account_id_by_slug('makerkit') $$,
+    'invitations should be listed'
+);
+
+select tests.authenticate_as('owner');
+
+-- check the owner can invite members with lower roles
+select lives_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
+    'owner should be able to create invitations'
+);
+
 -- authenticate_as the custom role
 select tests.authenticate_as('custom');

@@ -54,7 +69,7 @@ insert into public.role_permissions (role, permission) values ('custom-role', 'i
 select tests.authenticate_as('custom');

 select lives_ok(
-    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
    'custom role should be able to create invitations'
 );